DeFi platform Yearn Finance’s yETH product was hit with an unlimited token mint on Monday, draining the entire yETH pool in a single transaction.
Yearn later confirmed the “incident”, ensuring that its V2 and V3 vaults remain secure and unaffected.
We are investigating an incident involving the stablecoin exchange pool yETH LST. Yearn Vaults (V2 and V3) are not affected. — yearn (@yearnfi)
According to , the exploit generated a near infinite number of yETH, draining millions of balancer pools. The attackers profited from approximately 1,000 ETH, worth $3 million, which was routed through the Tornado Cash mixer.
yETH is an index token composed of several different versions of ETH, in other words, Ethereum Liquid Staking Derivatives (LST). The attack was first reported by a , which highlighted “heavy transactions” on LSTs, including yearn, rocket pool, origin and dinero. The yETH incident puts DeFi security under the lens.
The incident apparently involved several newly deployed smart contracts, which self-destructed after the transaction, according to blockchain data. The total financial losses remain unclear; However, the yETH pool had a total value of around $11 million before the attack.
Following this exploit, mixed reactions came from the community, with some expressing concern over the continued use of outdated contracts.
Additionally, Yearn Finance, affecting its yDAI vault and losing $11 million in value. The hacker apparently got away with $2.8 million at the time. Later, this protocol reported a faulty script in December 2023, erasing 63% of a position in its treasury. Crypto lost $127 million to hacks and scams in November alone.
Meanwhile, blockchain security firm CertiK reported that the crypto industry suffered an estimated $127 million in losses due to hacks and exploits.
The company’s monthly threat report indicated that the funds actually affected totaled more than $172 million. However, these figures decreased by $45 million after some of the stolen funds were recovered.
The Balancer DeFi protocol attack topped the list of major exploits in November, marking one of the biggest DeFi security breaches of 2025. The platform lost over $116 million in a sophisticated cross-chain exploit that affected multiple blockchains.
According to CertiK data, around $135 million was lost in DeFi incidents, followed by $29.8 million in exchange hacks.
